Improved building system technology is making today’s smart buildings safer, more energy efficient, and more attractive to tenants. But ESD, now Stantec, Studio Leader and Senior Security Consultant Coleman Wolf says building automated system (BAS) improvements could come with new vulnerabilities.
As cybercriminals become more stealthy by using access to internet of things (IoT) devices to eventually breach sensitive data, information technology (IT) and operational technology (OT) teams need to work more closely to prevent attacks.
Historically, when it came to IT security, responsibility started with an IT team and ran all the way up the line to a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) and eventually to the company’s Chief Executive Officer (CEO). According to Cybersecurity Practice Leader Bryan Bennett, it may be time to expand this C-suite chain of responsibility. That is because “smart” building systems are becoming more integrated with IT systems than ever before. Bennett says previously ignored OT devices led to a false sense of security for many building managers.
According to Bennett, the ambiguity surrounding the question of who should be responsible for cybersecurity must end. He believes companies will adopt the most appropriate reporting structure tailored to specific business practices. A manufacturing facility, for example, may focus extra attention on building systems with a robust OT team, while a more data-driven operation may choose to maintain a more traditional IT approach. In both cases, however, increasingly connected IoT devices must be accounted for to maintain information and operational technology cybersecurity.
International Data Corporation (IDC) predicts that by 2025 there will be over 55 billion connected devices worldwide, with 75% integrated with an IoT platform. Bennett says this growing proliferation of connected devices demands a more robust security routine. He believes companies will continue to support IT and OT daily operations, with one notable addition: there should also be a liaison working between the two groups to coordinate maintenance, updates, and risk mitigation. Should a cyber intrusion be detected, the IT team would immediately go into action to contain the attack.
This article was subsequently posted by leading industry publication Consulting-Specifying Engineer (CSE) magazine.
Bryan Bennett has been evangelizing for better IT security strategies for over a quarter-century. His mission to protect organizations from the financial, reputational, and individual costs associated with cybercrimes fits well with ESD’s mission to improve society through the built environment.